skip to main content

Wyndham, Hyatt, and the FTC's Top Ten List for Cybersecurity

In light of the recent data breach at Hyatt Hotels, which affected 250 hotels in 50 countries, we thought it timely to discuss the fallout from another hotel data breach: namely, the recent consent order entered in the FTC's action against the Wyndham hotel chain.[1] This post discusses the Wyndham consent order and FTC guidance based on numerous similar orders. If your business is not at least attempting to comply with the general best practices endorsed in the FTC consent orders, it could potentially make you more vulnerable in a post-data breach lawsuit by affected customers, shareholder derivative suit, or government action.

The Wyndham Consent Order.

In FTC v. Wyndham Worldwide Corporation, et al., the FTC sued Wyndham Worldwide Corporation and various subsidiaries ("Wyndham") in federal court. The FTC alleged the defendants violated 15 U.S.C. § 45(a), prohibiting "unfair or deceptive acts or practices," by representing to consumers that they had reasonable measures in place to protect their personal information against unauthorized access. In reality, the FTC claimed, Wyndham engaged in a inadequate data security practices that facilitated hackers access to customers' personal information, including credit card numbers, on Wyndham's computers, in three separate breaches from 2008-2010.

Wyndham challenged the FTC's statutory authority to regulate data security practices on a motion to dismiss. The district court denied the motion and, on interlocutory appeal, the Third Circuit affirmed. The appellate court held the FTC had authority to regulate data security practices under 15 U.S.C. § 45(a) and that Wyndham had fair notice its cybersecurity practices could subject it to liability under that statute.[2]

In December, the FTC and Wyndham agreed to a stipulated injunction, which the district court entered as an order (the "consent order"), requiring Wyndham to engage in improved cybersecurity practices and dismissing the litigation. In sum, the consent order requires that Wyndham, for the next 20 years:

  1. Establish a comprehensive written information security program. That program is to include designating an employee accountable for information security programs, preparing full risk assessment of threats to customers' credit card information, implementing "reasonable safeguards" to address the identified risks and regularly testing them, and selecting vendors with appropriate data protection policies.
  2. Obtain an annual assessment by an independent third-party of its compliance with the Payment Card Industry Data Security Standard, or any comparable standard approved by the FTC.
  3. Obtain a forensic investigation within 180 days of a data breach involving more than 10,000 payment card numbers.
  4. Obtain an independent assessor's approval of any "significant change" in its data protection policies. If Wyndham engages in a "significant change" (which the consent order does not define) in its policies between annual assessments, then it must receive the assessor's certification that the change does not cause Wyndham to fall out compliance with the last assessment.[3]

The FTC's Top Ten List Of Cybersecurity Best Practices.

Wyndham is far from the first company to have its cybersecurity policies challenged by the FTC after a breach, and then settle by stipulating to improve its cybersecurity practices. The FTC states it has entered into "50+ data security settlements."[4] Most recently, in addition to the Wyndham settlement, the FTC settled with Lifelock, Inc. after suing it for violating an earlier consent order requiring it to improve its allegedly poor data security practices.

In mid-2015, the FTC prepared a list of ten lessons learned from its enforcement actions, available at: https://ftc.gov/tips-advice/business-center/guidance/start-security-guide-business

The FTC's top ten lessons are:

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

The FTC discusses each lesson in more detail at the link above.

In light of the Wyndham consent order, and the numerous orders before it, it will be increasingly difficult for companies to argue they lack notice of required cybersecurity best practices. Failure to comply with developing FTC standards may also be used against companies in post-data breach civil litigation by affected customers as evidence of negligence and in derivative shareholder lawsuits as evidence of directors' failure to comply with their fiduciary duties.

[1]https://krebsonsecurity.com/2015/12/malware-driven-card-breach-at-hyatt-hotels/; http://krebsonsecurity.com/2016/01/hyatt-card-breach-hit-250-hotels-in-50-nations/http://newsroom.hyatt.com/news-releases?item=123450

[2] FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 240 (3rd Cir. 2015).

[3] See Stipulated Order for Injunction, Federal Trade Commission v. Wyndham Worldwide Corp., et al. C.A. No. 2:13-CV-01887-ES-JAD (Dec. 11, 2015).

[4] https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business